PRIVACY POLICY FOR DATA HUB

Thank you for visiting the Data Hub. At Volkswagen Group Info Services AG we take data protection very seriously.

We have drafted this Privacy Policy to inform you about how we collect, use, disclose and otherwise process Personal Data as well as about your rights under the GDPR. With this Privacy Policy, we inform you about the processing of your Personal Data when visiting our website, when registering for and using the Data Hub, and when communicating with us regarding the Data Hub. Please find the definitions of the capitalized terms used in this Privacy Policy in the Annex below.

1. For whom is this Privacy Policy?

This Privacy Policy covers our processing of Personal Data under applicable data protection laws and regulations with respect to our website and the Data Hub.

By making this Privacy Policy available to you, we comply with our information obligations. In certain cases, the information provided in this Privacy Policy is only applicable based on your location; where this is true, we will address which information is applicable to you expressly in the Privacy Policy. Please note that this Privacy Policy shall not confer upon you any rights or obligations that are not conferred upon you by applicable data protection laws and regulations.

2. Who are we and how can you contact us?

The Controller of your Personal Data is Volkswagen Group Info Services AG, Berliner Ring 2, 38440 Wolfsburg, Germany.

You may contact us via mail at volkswagen.group.data.business@cariad.technology with questions about this Privacy Policy, the processing of your Personal Data in general and to exercise your rights as a data subject as outlined below in section no. 8.

You can reach our data protection officer by mail at the aforementioned address, adding “Data Protection Officer” or by email at privacy@cariad.technology.

Please be informed, that when using the above email-address, not only the data protection officer might gain knowledge of your inquiry. If you want to contact the data protection officer in confidentiality, please send another mail upfront.

3. Where do we collect your data?

We collect your Personal Data when you just use the website (3.1) or when you are registered and logged in to the Data Hub (3.2 - 3.3), when you are registered and logged in to the Data Hub Sandbox (3.4), and when you contact us via email or when using the contact form on this website (3.5) and when you exercise your data subject rights (3.6).

3.1 Website (Visitor)

For visiting the website without logging in, we collect the necessary technical data to securely provide the website (see data categories below).

3.2 Data Hub (B2B Customer)

In order to register for and log in to the Data Hub, you have to use the Single-Sign-On solution ONE Business ID, which is provided by Volkswagen AG. To enter the Data Hub, the following alternatives are available:

• You already have a One Business ID account from Volkswagen AG and you use these account data to log in to the Volkswagen Group Info Services AG Data Hub.

Or

• You create your own Volkswagen AG One Business ID account at: https://onebusinessid.com/. Then you can log in to the Volkswagen Group Info Services AG Data Hub with this account data.

With regard to your creation, usage and management of ONE Business ID, Volkswagen AG acts as independent single controller under GDPR. You can find Volkswagen AG's ONE Business ID controller Privacy Policy here: https://onebusinessid.com/legal.

The Personal Data processed by Volkswagen Group Info Services AG falls into the following categories:

• Identification details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your first name and last name;
  
• Necessary ONE Business ID login data from Volkswagen AG for a successful access to Volkswagen Group Info Services AG's Data Hub;
• Data Provider registration details, i.e. data related to registration as a potential Data Provider, such as company name, country;
• Website data, such as your IP address, the name of your internet service provider, the operating system and the browser you use as well as your browser language;
• Location information, such as general location information (e.g. city/state and/or postal code associated with your IP address).
• You are generally not required to provide your Personal Data to us. However, in order to enable and facilitate access to the website and features provided via the website, we require certain Personal Data (e.g. contact details if you contact us as we are otherwise unable to respond). Hence, if you do not provide such Personal Data, we might not be able to provide all features available via the website to you (e.g. contacting Volkswagen Group Info Services AG via the website). You cannot gain access and use the Data Hub without registration as a potential Data Provider or Customer.

3.3 Consent Portal (B2C Customers)

The Consent Portal (consent.drivesomethinggreater.com) is used to collect B2C customer's (Data Subject) consent for personalized data products offered by the Volkswagen Group Info Services AG. To access the Consent Portal the customer needs to be provided with a specific link from the B2B Partner of the Volkswagen Group Info Services AG.

Additional requirements for using the Volkswagen Group Info Services AG Consent Portal:

In order to register for and log into the Consent Portal, you have to use the Single-Sign-On solution VW ID, which is provided by Volkswagen AG. To enter the Consent Portal, the following alternatives are available:

• You already have a VW ID account from Volkswagen AG and you use these account data to log into the Volkswagen Group Info Services AG Consent Portal.

Or

• You create your own Volkswagen AG VW ID account at: https://vwid.vwgroup.io. Then you can log into the Volkswagen Group Info Services AG Consent Portal with this account data.
  

With regard to your creation, usage and management of VW ID, Volkswagen AG acts as independent single controller under GDPR. You can find Volkswagen AG's VW ID controller Privacy Policy here: https://vwid.vwgroup.io/data-privacy.

The Volkswagen Group Info Service AG uses the Volkswagen AG's VW ID as service for user identification and storage of the actual consent status related to Volkswagen Group Info Service AG personalized data products.

3.4 Data Hub Sandbox (B2B Customers)

The Data Hub Sandbox (sandbox.drivesomethinggreater.com) serves as a testing environment for our B2B partners, in order for you

• to get to know the data products offered by Volkswagen Group Info Services AG.
• to capture the character/user experience of the data APIs and formats of our data products

The data products provided in the sandbox include solely non-personal, synthetic test data.

To access the Sandbox the B2B customer receives an invitation via email upon request from the Volkswagen Group Info Services Sandbox Team.

The following information will be processed for the registration and use of the Data Hub Sandbox:

• Contact details (such as your email address)
• Identification details (such as your first name and last name)
• Once logged in, your API requests, including user specific data (such as your username, user token, time of request)

3.5 Contact Us (contact form)

When you contact us (email or contact form), we will use the included information contact information (see below) to

• help you with your inquiry
• if necessary, forward the included information to the relevant bodies and
• document a proper handling of your inquiry.

The following information will be processed:

• Identification details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your first name and last name;
• Contact details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your email address, phone number, fax number and address (among others ZIP code, city, state, country), job title;
• Message details, i.e. data included in your messages sent to Volkswagen Group Info Services AG via the website or via email, such as the company you work for/on behalf of which you contact Volkswagen Group Info Services AG, country in which you are located, area of interest on which your message is based and the contents of your message;
• Customer registration details, i.e. data related to registration as potential Customer, such as company name, country;

3.6. Fulfillment of data subject rights

When you exercise your data subject rights (see under 10.) the following data can be processed to fulfill your request:

• Identification & authentication data as far as necessary (Art. 12 par.6 GDPR);
• The data required to fulfill the requested data subject right (Art. 15 - Art. 21 GDPR);
• Documentation of the process as necessary (Art. 5 par. 2 GDPR).

4. How do we process your Personal Data?

General

We process your Personal Data for the purposes set forth in the table below. With respect to some specific purposes of processing you will find additional information below the following table.

Purpose of processing	Purpose of processing Legal basis	Legitimate interest(s) (where relevant)	Catogies of Personal Data
To provide the Website	§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. f GDPR	To provide you a telemedia service and to present and develop our business.	Website data, location information
To provide a protected Website area (B2B Customers, B2C Customers and data subjects)	§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR	Providing a protected website area accessible to B2B Customers, B2C Customers and data subjects only.	Identification details, contact details, registration details
To contact you and provide you with information, which you have requested	§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR	Communicating with you upon your request.	Identification details, contat details, message details, Data Provider or Customer registration details
To detect disruptions and to ensure the security of the Website, the Data Hub and our systems, including the detection and tracing of (the attempt of) unauthorized access to our web servers	§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR	Resolving disruptions and ensuring the security of the Website, the Data Hub and our systems.	Website and Data Hub activity data, location information, identification details
To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies))	Art. 6(1) lit. f GDPR	We may have a legitimate interest in disclosing information to (potential) buyers or acquirers and their external counsels in certain scenarios.	Identification details, contact details, message details, supplier registration details, press distribution list details
To establish, exercise or defend legal claims	Art. 6(1) lit. f GDPR	We have a legitimate interest in the establishment, exercise and defense of legal claims.	Identification details, contact details, message details, Data Provider and Customer registration details, Website data, location information
To comply with legal obligations to which we are subject (e.g. deriving from tax law, or foreign trade law)	Art. 6(1) lit. c GDPR	German Abgabenordung (German Tax Code), German Handelsgesetzbuch (German Commercial Code), etc.	Identification details, contact details, message details, Data Provider registration details, Website data, location information
To carry out compliance investigations	Art. 6(1) lit. f GDPR	We have a legitimate interest in carrying out compliance investigations to safeguard that we comply with our legal obligations.	Identification details, contact details, message details, Data Provider registration details, Website data, location information
For any of the above listed purposes it might be necessary to transfer data to our Affiliates	Art. 6(1) lit. f GDPR	We, as part of the Volkswagen Group, have a legitimate interest in transferring your Personal Data within the group for internal administrative purposes.	The data categories correspond to those listed with respect to the revelant purpose for processing
To collect and record the B2C customer’s consent for personalized data products	Art. 6(1) lit. a / lit. f GDPR	Enabling data consumption of personalized data products for B2B Partners with the consent of the B2C customer.	Identification details, consent decision, consent timestamp, vehilce identification number

5. Log files

As indicated in the table above, we save website data including log files for the purpose of determining disruptions and ensuring security of the website, the Data Hub and our systems.

6. Cookies

Cookies not deleted by you will expire after the time span indicated in the Privacy Policy.

7. Who has access to your Personal Data (recipients of Personal Data)?

We may share your Personal Data with the following recipient(s) :

• When using a personalized data product, we share your technical user identification ID and consent status with the legitimate data recipient of the specific data product. For more information of all our personalized data products please follow the provided link.

We may share your Personal Data with service providers that process Personal Data on our behalf and subject to our instructions as so-called Processors, for the purpose of providing their professional services to us:

• IT service provider as data processor: CARIAD SE, Berliner Ring 2, 38440 Wolfsburg
• B2C Customer consent status collection and storage is provided by Volkswagen AG
• Separate controllership for running VW ID: Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, VW ID Privacy Policy: https://vwid.vwgroup.io/data-privacy
• Separate controllership for running ONE Business ID: Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, ONE Business ID Privacy Policy: https://onebusinessid.com/legal.

We may share your Personal Data with the following third parties:

We may share your Personal Data with Affiliates for the purposes listed in section no. 4 above.

• Other third parties:
• State authorities (including tax authorities and law enforcement agencies) for the purpose of compliance with laws and regulations applicable to us
• Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, corporate transactions and safeguarding our rights
• Courts for the purpose of safeguarding our rights
• Potential buyers or acquirers of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions

The legal bases relevant for the transfer of Personal Data to third parties can be found in section no. 4 above.

8. Do we transfer your data internationally (third country transfers)?

We process your Personal Data exclusively within the European Economic Area and do not transfer it to third countries.

9. How long do we store your data?

General

Your Personal Data will generally only be stored until they are no longer necessary in relation to the purposes for which they were collected (or otherwise processed).

As an exception, Personal Data may be stored longer where their processing is necessary for compliance with a legal obligation - including compliance with statutory retention periods - to which we are subject or for the establishment, exercise or defense of legal claims.

Cookies

Cookies not deleted by you will expire after the time span indicated in our Cookie Policy.

10. What rights do you have with respect to your Personal Data?

You have the following rights under the GDPR provided that the legal requirements are met:

i. Right of access. You may request information about the processing of your Personal Data and a copy of the Personal Data undergoing processing insofar as such copy does not adversely affect the rights and freedoms of others.

ii. Right to rectification. You may request correction of your Personal Data that is inaccurate and/or completion of such data which are incomplete.

iii. Right to erasure. You may request deletion of your Personal Data, in particular where (i) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) you objected to the processing and there are no overriding legitimate interests for the processing, (iii) your Personal Data has been unlawfully processed or (iv) your Personal Data has to be erased for compliance with a legal obligation to which we are subject. The right to deletion, however, does not apply in particular where the processing of your Personal Data is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.

iv. Restriction of processing. You may request restriction of processing (i) for the period in which we verify the accuracy of your Personal Data if you contested its accuracy, (ii) where the processing is unlawful and you request restriction of processing instead of deletion of the data, (iii) where we no longer need the Personal Data, but you require the data for the establishment, exercise or defense of legal claims or (iv) if you objected to processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.

v. Right to data portability. You may request to receive your Personal Data, which you have provided to us, in a structured, commonly used machine-readable format and transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and the processing is carried out by automated means; in these cases you may also request to have the Personal Data transmitted directly to another controller where this is technically feasible.

vi. Right to withdraw consent. You may withdraw your consent at any time for the future where processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.

vii. Right to object. You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data which is based on our or a third party’s legitimate interests.

We then will no longer process your Personal Data for the purpose to which you have objected unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where we process your Personal Data for direct marketing purposes based on our or a third party’s legitimate interests, you have the right to object at any time to the processing of your Personal Data for such direct marketing. We then will no longer process your Personal Data for direct marketing purposes.

viii. Right to lodge a complaint. You may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of an alleged infringement if you consider that the processing of your Personal Data infringes the GDPR.

A list of the European supervisory authorities can be found here.

In Wolfsburg, where Volkswagen Group Info Services AG is headquartered, the competent supervisory authority is: Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstrasse 5, 30159 Hannover, poststelle@lf.niedersachsen.de.

Please address your requests to exercise your rights to privacy@cariad.technology (with the exception of the right to lodge a complaint with a supervisory authority).

11. No automated decision-making

In the context of this website no automated decision-making takes place.

12. Changes to this Privacy Policy

We reserve the right to amend or modify this Privacy Policy at any time to ensure compliance with applicable laws. Please check regularly whether this Privacy Policy has been updated.

This Privacy Policy has been updated last in September 2023.

13. Annex definitions

The terms and expressions in capital letters used in this Privacy Policy have the meanings set forth below. Additionally, the definitions included in Art. 4 of the GDPR shall apply.

“Affiliate” shall mean any entity which is directly or indirectly controlled by Volkswagen AG. ‘Control’ means direct or indirect ownership or domination of more than 50% of the voting interest of the respective entity.

“Controller”, “we”, “us”, “our” shall mean Volkswagen Group Info Services AG which is the controller of your Personal Data according to section no. 2 in the Policy.

“Data Hub” shall mean the website (drivesomethinggreater.com) provided by Volkswagen Group Info Services AG which:

• publicly informs about the company Volkswagen Group Info Services AG and its data products;
• enables a log in area for B2B customers to acquire licenses for the use of specific data sets;
• provides contact information about Volkswagen Group Info Services AG;
• enables B2B customers to access the Volkswagen Group Info Services AG Data Hub Sandbox for testing purposes;
• allows B2C Customers (data subjects) to consent to personalized data products;
• enables Volkswagen Group Info Services AG to fulfill GDPR data subjects rights

“EEA” shall mean European Economic Area.

“EU” shall mean European Union.

“GDPR” shall mean the General Data Protection Regulation (Regulation (EU) 2016/679).

“Personal Data” shall mean any information relating to an identified or directly or indirectly identifiable living individual.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

“Volkswagen Group” means the Volkswagen Aktiengesellschaft, and its affilitated companies, Berliner Ring 2, 38440 Wolfsburg, Germany.